No untethered.

November 15th, 2009

OK, will you let us work in peace now?

edit: duh, it’s still being worked on obviously. but stop commenting and asking us to release. if you want tethered, go to http://blackra1n.com/ and use that, it’s wonderful. if you want untethered, then wait, complaining will get you absolutely nowhere. at this point I don’t care about the comments, and people posting “UNTETHERED RELEASE NOW NOW NOW” will just make me spite you more and make ideas like “wouldn’t it be fun to delay untethered jb 2 months past when it’s ready just to teach these people a lesson?” come onto the table. so seriously, stop. go away. (stop complaining about what I just said, I’m obviously not serious. who would work on something and devote time and energy into it if they were going to delay the release because of opinions they don’t care about? :P )

don’t trust anyone commenting as “admin” in regards to release dates or what have you. only trust these posts. someone with the IP “122.108.143.240” is pretending to post as admin, but is not the admin.

quick question guys, what do you mostly use your jailbreak for? while it won’t exactly make me happy, saying you use it to pirate will not make the jailbreak less likely to come out either. the reason I am asking what you guys use it for is different than if you pirate or not, do not worry, just be honest because I want to get a feel for the majority of the ppl.

edit: maybe this will give ppl some perspective… http://www.twitlonger.com/show/1c63i

also, the IP of the person impersonating Santiago: 72.154.123.209

regarding donations: look, we are doing the best we can. complaining and asking for donations back is extremely stupid, however. it clearly shows that you do not know the meaning of the word “donation”. without the donations, we would have never been able to even start, because a device was needed. just because we have a device does not mean the development process is completely over with and complete. and people, I can look up who donated. I have a list of names and email addresses of the people that did, and how much they donated. so lying in the comments does not help at all. a random example: somebody claimed to have donated $50. I took a look, and nobody had donated that much, it was a lie. If I could be bothered to check again, maybe I can check if that guy donated at all. but that’s not the point. If you really didn’t want to donate, you didn’t have to.

greenpois0n: what it is, and what it is not

November 1st, 2009

Introduction
People in the comments have been going insane about greenpois0n and its release, so we felt it was time for some clarification.

At this point, greenpois0n is being developed into something more than your standard jailbreak software. Greenpois0n will come as two basic parts. The backend (when the source is released for everyone) will serve as a "development platform" for iboot level code, similar to the metasploit project. Whether you want to poke&peek at registers, or you are writing a payload that serves a specific purpose, the greenpois0n backend will make the job ten-fold easier.

The frontend, for us, will be the NOR patcher (this patches bootloaders to not perform signature checks, to boot in "engineering" mode @ every boot, to not check ECID or TYPE tags when parsing firmware, patches the device tree for secure mode and allows encryption keys in userland, and does all of the regular kernel patches + some more) and the filesystem jailbreaker portion. This will all run in under 1min and have no dependencies on the currently running iBoot, so technically if, say, 3.2 was vulnerable, it could be made compatible in less than an hour or so. Same for using it with a different iBoot exploit: you would just need to plug in a custom loader appropriate to the exploit.

Why don’t we just release something like George Hotz’s blackra1n?
There is no point, as blackra1n satisfies the original tethered jailbreak goal.

What is greenpois0n? (In jailbreaking terms)
Current plans are releasing a "lite" greenpois0n that supports only iPod touch 3G, as well as the updated bootrom ipt2/3G[s]. After gplite is applied, your device will be able to be used normally with Apple and App Store apps on a normal boot, then when you connect to our program and boot you will be able to use your Cydia apps as well. This is known as a “semi-tethered” jailbreak, basically meaning you can reboot normally (especially important for people with new 3G[s]) and use it as a normal iPod / iPhone, and then connect to your computer and boot when you get home or whatever to use Cydia apps and such. Later on, a full featured version of greenpois0n will be released, followed closely by the source for the backend.

Why don’t you just release it NOW!
Either use George Hotz’s blackra1n or wait patiently.

Clarification

October 28th, 2009

Since people didn’t read what I said in the comments, yes greenpois0n is still being developed and yes it will be released by the end of the year.

The “why”

October 19th, 2009

Many comments on the last post have some intelligent answers about why to release now, though most are “OMG RELEASE NOW PLZ”, and then there are intelligent answers about why it should be saved until June. If people that want it to be released now could at least post some comments about their reasoning, that would help, because releasing now would basically mean burning an exploit that could be used for a 4th generation of devices.

To the people that want it now: What exactly do you want the untethered jailbreak for? Is tethered really that bad?

Here are some other options that I would like to hear people’s opinions on:
- Release for all devices tethered
- Release for all devices semi-tethered (will take a bit longer to put together, but just throwing it out there…)

I give the above options because I want to weed out the people with the 8GB iPod touch 3G or other unjb’able devices at the time and have them know that they are set, and that I really should have said this in the previous post. What I am really wondering is whether there are any good reasons that people can’t put up with a tethered or semi-tethered jailbreak until June. If we do tethered, I will probably spend some time creating a tutorial for how to make a booting dongle, so you don’t always have to be around a computer.

Thanks for your patience.

PS: To weed out those that think greenpois0n is a hoax altogether, it is not. It is thousands of lines of code and when we open source it shortly after release, it is designed to be a development platform for anyone that needs to run iBoot level code for whatever reason, whether you want to use the AES engine, dump something over serial, etc. You can do it with ease using this setup. Also, it is designed to be adaptable to any other iBoot injection vector that is found for future firmware versions, so that it will not take forever for us to release it :) But all of the details are for a later post. (omg leaks)

A “Poll”

October 18th, 2009

One major part of greenpois0n is we want all devices to be untethered. Some people on IRC have brought up something of concern though. Getting a bootrom exploit is not easy, and if any are found, they need to be kept under wraps because of that. The question I wonder is, after all of the people getting pissed off when we documented the usb 0x21,2 exploit, how many people think that if a bootrom exploit exists, it should be saved until the new iPhone in June? or the new tablet when that comes out? or just released now for ppl with the updated ipt2/iphone3g bootrom or ipt3? No decisions will be based solely on your input, as obviously all members of the group have to vote and decide on these delicate issues, but I am just wondering what the general feeling is among everyone. Keep in mind, if something is released now, the tablet is at risk for having it fixed. if we release for the tablet, the next rev of iphone / ipod touch is at risk for having it fixed. if we release on release of the new iphone this summer, then we are set for a year until the NEXT rev, since they wouldn’t update the bootrom of current ones as they would be busy making new revisions of the device anyway?

What do you think?

Safe

October 8th, 2009

3.1.2 is just an RR update to correct some bugs, nothing is different at all in iBoot or any of the other firmware files, although I think there were some kernel changes. greenpois0n still works just fine.

Back to work

October 6th, 2009

Had a long talk with geohot, big misunderstanding, he apologized, etc. Several people have offered to back me in the event of a PayPal issue, but they said it was doubted that this would happen. Now that my mind is at ease it is time to get back to work. Thanks for all of your generosity.

The Full Story

October 6th, 2009

EDIT 2: To clarify, this post was more so directed at those who thought we were “showing our cards to Apple”, or those that thought that we stole the exploit from geohot and published it.

EDIT: I would like to thank geohot for correcting himself, indeed he had worded the tweet badly: http://twitter.com/geohot/status/4666542287

Although I said no comments, I will enable them for this post only.

In mid July, pod2g and westbaer came across an exploit that allowed us to write to 0x0 while iBoot was running. We develop upon it for a while and finally get it working and able to execute code. We toss it on the backburner and start looking for more, occasionally working on the greenpois0n payload.

This month comes around with the release of ipt3 and we go into overdrive. We wanted to make greenpois0n perfect and easy to use, not to mention fast like purplera1n. I didn’t have the money for an ipt3 at the time so I had a chipin to raise funds. I got about $200, and had enough in my bank account to cover the remaining $100. Headed down to Best Buy on Saturday of release week and picked one up, then the testing started. As I have said before, we wanted to make this perfect and bug-free, so it was taking a while. Soon, people started commenting and emailing me complaints about it taking so long. I can handle this.

Then, I start getting ppl threatening to file a dispute with PayPal to get a refund. This is an issue, not because they don’t realize that these were donations, but because PayPal usually sides with the “buyer”, as I have heard in many PayPal horror stories. I have heard of them freezing people’s accounts and even dipping into the person’s bank account to refund people. Naturally I start to worry, and I can’t exactly do much more than devote more time to GP. So I start spending more time on the payload, no problem. We have decryption keys @ this point, others are close to getting bootrom, all is well. Then geohot came in the private IRC room, I believe last night, and suggested something that I won’t name now since it’s still his workaround that he might have wanted to keep under wraps, but it was a sly solution to a certain roadblock that may have made things more annoying for the user on release. We put it on the to-do list. All is well. Hours later, he posts the “Meet The Family” blog post, and joins our room saying that he just picked up an ipt3 and he was going for the jb.

At this point I should probably mention that we have given him the password to our private development room and welcome him there. We had told him sometime in August about this, and he said “yeah, I saw that when researching usb put stuff”. That is what the truth is to this tweet. Although there is no hash, due to his prior trustworthiness, we all believed him. Again, we had found and implemented this all on our own; the only thing that geohot did, which we are trusting that he is telling the truth about, was find the vulnerability on his own, totally separate from us. I would like to believe that the tweet was misworded, but the way he said it made it sound extremely like he was saying we stole it from him and were taking credit.

Anyway, back to the “story”. Some people started saying that I was an all out scammer and when geohot released first they would dispute their donation because it “seemed like it was all an elaborate hoax to get a free iPod touch”. This concerned me more. We weighed our options, talked to some people, and many agreed that it might be a good idea to wiki the exploit. This was for a few reasons:
- We knew that we could not get greenpois0n completely finished in time. We needed a perfectly safe NAND write, a ported over 24kPwn, and more to make it totally stable.
- Geohot would release in a few days anyway, so “hiding the exploit from Apple” was not a concern at all.
- We had done a lot of research on the exploit, how it worked, and why it worked, and had everything written up. If Geohot would release in a few days, and we knew we couldn’t do anything, why not share what we already knew with the community? Geohot usually writes up short descriptions and gradually adds on when it comes to exploits, while we already had a nice write-up made.
- Again, Geohot said a few days, so the idea that we were giving anything to Apple is false, since they would have had it in “a few days” anyway.
- This would cause people to stop hounding about progress + threats to dispute their donation, because it would show that their money went to good use.

Unfortunately, it didn’t turn out too great. Geohot claimed credit for some reason, and now we are getting a lot of flak for this gross misconception. And here we are, now trying to get across the situation to the angry mob that seems to have formed.

Comments are off

October 6th, 2009

Too many idiots. Go complain somewhere else. Apologies to the people trying to have civilized discussions, you can just use ipodtouchfans.com or something for now.

Progress Upd-Wait what?

October 6th, 2009

http://www.theiphonewiki.com/wiki/index.php?title=Usb_control_msg%280x21%2C_2%29_Exploit